# MikroTik Captive Portal Integration Guide
# Hotspot using MikroTik
This guide walks you through configuring a MikroTik router to work with GATE as an external captive portal. Users register by entering their email and name through the web portal, with information stored in GATE's database (AAA server) and sent back to the MikroTik device. The MikroTik then sends an Access-Request to the server, which responds with an Access-Accept, granting internet access.
## Hardware & Software Requirements
- **Model**: RB952Ui-5ac2nD
- **Architecture**: mipsbe
- **Firmware**: 7.18.2
## Configuration Overview
This configuration involves several key components:
1. **Bridge Setup** - Creates a unified network interface
2. **Network Configuration** - IP addressing, DHCP, and firewall rules
3. **RADIUS Integration** - Connects to GATE's authentication server
4. **Hotspot Configuration** - Portal pages, user profiles, and server setup
## Bridge for Hotspot
The first step is creating a bridge interface to connect WiFi and Ethernet interfaces into a single network.
### Creating a Bridge Interface
1. Navigate to **Bridge** in the left menu and click **New**
[](https://docs.zequenze.com/uploads/images/gallery/2025-04/wbvw6GiAxT9SCWhZ-image1.png)
2. In the new interface form:
- Set **Name** to "bridge-for-hotspot"
- Leave other settings at default values
- Click **Apply** then **OK**
[](https://docs.zequenze.com/uploads/images/gallery/2025-04/FuWZajeD5f3KShvY-image2.png)
The bridge will connect your interfaces for hotspot functionality, allowing traffic to flow between interfaces and creating a unified network.
## Assign WiFi Interfaces
Next, assign WiFi interfaces to the bridge to allow wireless clients to connect.
### Adding WiFi Interfaces to the Bridge
1. Go to **Bridge** then click the **Ports** tab
2. For each wireless interface (wlan2GHz and wlan5GHz):
- Click on the interface
- From the **Bridge** dropdown, select "bridge-for-hotspot"
- Click **Apply** then **OK**
[](https://docs.zequenze.com/uploads/images/gallery/2025-04/xmJbuYm0vpeU8wvL-select-wifi-interfaces.png)
This creates a unified network for hotspot traffic, with all wireless clients connecting through these interfaces.
## Network Configuration
Configure network settings to establish the foundation for your hotspot and ensure proper communication.
### IP Address Assignment
First, assign an IP address to the bridge interface:
1. Go to **IP** → **Addresses**
2. Click **New**
3. Configure the following:
- **Address**: `10.5.50.1/24`
- **Network**: `10.5.50.0`
- **Interface**: "bridge-for-hotspot"
- Click **Apply** then **OK**
[](https://docs.zequenze.com/uploads/images/gallery/2025-04/meK7OuAYqnoJLJFl-ip-address-2.png)
This IP address (10.5.50.1) will serve as the gateway for all devices connecting to your hotspot.
### IP Pool Configuration
Create an address pool for the hotspot:
1. Go to **IP** → **Pool**
2. Click **New**
3. Configure:
- **Name**: `pool-hotspot`
- **Addresses**: `10.5.50.10-10.5.50.254`
- Click **Apply** then **OK**
[](https://docs.zequenze.com/uploads/images/gallery/2025-09/SQQToSCgw42j29ne-pool-addresses.png)
### DHCP Server Setup
Configure the DHCP server to automatically assign IP addresses to clients.
#### DHCP Networks
1. Go to **IP** → **DHCP Server** → **Networks** tab
2. Click **New**
3. Configure the network:
- **Address**: `10.5.50.0/24`
- **Gateway**: `10.5.50.1`
- **DNS Servers**: `8.8.8.8,8.8.4.4` (Google DNS)
- Click **Apply** then **OK**
[](https://docs.zequenze.com/uploads/images/gallery/2025-04/eR3fs4g7DT8pjHCI-ip-dhcpserver-network2.png)
#### DHCP Server
1. Go to **IP** → **DHCP Server** → **DHCP** tab
2. Click **New**
3. Configure:
- **Name**: "hotspot-dhcp"
- **Interface**: "bridge-for-hotspot"
- **Address Pool**: "pool-hotspot"
- Leave other settings at defaults
- Click **Apply** then **OK**
[](https://docs.zequenze.com/uploads/images/gallery/2025-04/E7SpTQUQdrCtvT12-ip-dhcpserver-dhcp2.png)
The DHCP server will now assign IP addresses to clients from the specified pool.
### Firewall Configuration
Create a firewall rule to allow RADIUS authentication traffic:
1. Go to **IP** → **Firewall** → **Filter Rules** tab
2. Click **New**
3. Under **General** tab:
- **Chain**: `input`
- **Protocol**: `udp`
- **Dst. Port**: `1812,1813,3799`
4. Under **Action** tab:
- **Action**: `accept`
5. Click **Apply** then **OK**
[](https://docs.zequenze.com/uploads/images/gallery/2025-04/8OGxpLTojcZDiRaA-firewall-4.png)
This rule allows communication between your MikroTik router and GATE's RADIUS server.
## RADIUS Configuration
Configure RADIUS settings to connect to GATE's authentication server.
### RADIUS Server Setup
1. Go to **RADIUS** and click **New**
2. Configure:
- Under **Service**, enable only **hotspot**
- **Address**: Enter your GATE server IP address
- **Secret**: Enter the shared secret password
- **Authentication Port**: `1812`
- **Accounting Port**: `1813`
- Click **Apply** then **OK**
[](https://docs.zequenze.com/uploads/images/gallery/2025-04/FIWTcSqhQExxv1YB-radius-2.png)
### RADIUS Incoming Configuration
1. Go to **RADIUS** and click **Incoming**
2. Configure:
- Enable **Accept** toggle
- **Port**: `3799`
- **VRF**: Select "main"
- Click **Apply** then **OK**
[](https://docs.zequenze.com/uploads/images/gallery/2025-04/WY7A75OcIhrrRCQN-radius-4.png)
### Understanding RADIUS Ports
- **Port 1812** (Authentication): Validates user credentials
- **Port 1813** (Accounting): Sends session data (connection time, data usage)
- **Port 3799** (CoA): Allows dynamic session modification
## Hotspot Configuration
The Hotspot feature provides controlled internet access through a captive portal system integrated with GATE.
### Custom Portal Files
Create custom HTML files for the external captive portal integration:
#### Required Files
Create these three files locally with the content below:
**login.html**
```html
Redirecting to Registration Portal
Redirecting to registration portal...
If you are not redirected automatically, please click here.
```
**logout.html**
```html
Logged Out
You have been logged out
Thank you for using our service.
Session duration: $(uptime)
Downloaded: $(bytes-in-nice) / Uploaded: $(bytes-out-nice)
Login Again
```
**redirect.html**
```html
Redirecting
Redirecting to registration portal...
If you are not redirected automatically, please click here.
```
#### File Upload Process
1. Connect to your MikroTik router using an FTP client
2. Navigate to the `/flash` directory
3. Create a new folder (e.g., `myhotspot`)
4. Upload all three HTML files to this folder
> **Important**: Use FTP to preserve MikroTik variables like `$(mac)` and `$(ip)`. These variables are automatically replaced with actual values when users access the portal.
### Walled Garden Configuration
Configure the Walled Garden to allow access to GATE's servers without authentication:
1. Go to **IP** → **Hotspot** → **Walled Garden** tab
2. Click **New**
3. Configure:
- **Comment**: "Wildcard zequenze"
- **Action**: `allow`
- **Dst. Host**: `*.zequenze.com`
- Click **Apply** then **OK**
[](https://docs.zequenze.com/uploads/images/gallery/2025-04/mkf9ojM1hk7rXenh-hotspot-wallgarden2.png)
This ensures users can reach GATE's registration page before authentication.
### User Profiles
Create a user profile to define connection parameters:
1. Go to **IP** → **Hotspot** → **User Profiles** tab
2. Click **New**
3. Configure:
- **Name**: "profile-mikrotik"
- **Address Pool**: "pool-hotspot"
- **MAC Cookie Timeout**: "00:30:00" (30 minutes)
- Click **Apply** then **OK**
[](https://docs.zequenze.com/uploads/images/gallery/2025-04/N2nB2q4mR5s5XoA3-hotspot-user-profiles-2.png)
### Server Profiles
Configure how the hotspot server operates:
1. Go to **IP** → **Hotspot** → **Server Profiles** tab
2. Click **New**
3. Configure the following sections:
**General Settings:**
- **Name**: "Gate-html"
- **DNS Name**: "hotspot.gateway"
- **HTML Directory**: "flash/myhotspot" (path to your uploaded files)
**Login Settings:**
- Enable **HTTP CHAP**
- Enable **HTTP PAP**
**RADIUS Settings:**
- Enable **Use RADIUS**
- **MAC Format**: "XX:XX:XX:XX:XX:XX"
- Enable **Accounting**
- **Interim Update**: "00:05:00" (5 minutes)
4. Click **Apply** then **OK**
[](https://docs.zequenze.com/uploads/images/gallery/2025-04/Jss9T5dRYKB3zf5C-hotspot-server-profiles-4.png)
### Hotspot Server Creation
Create the actual hotspot server:
1. Go to **IP** → **Hotspot** → **Servers** tab
2. Click **New**
3. Configure:
- Enable the **Enabled** toggle
- **Name**: "hotspot1"
# Zequenze Web Portal Setup
## Introduction
This guide walks you through the complete process of setting up a dynamic web portal for your MikroTik hotspot using Zequenze GATE. The MikroTik device will redirect users to this external web portal, where they can register or log in to access your network services.
## Table of Contents
- [Prerequisites](#bkmrk-prerequisites)
- [Creating a Dynamic Form](#bkmrk-creating-a-dynamic-form)
- [Creating AAA User Profiles](#bkmrk-creating-aaa-user-profiles)
- [Adding RADIUS Clients](#bkmrk-adding-radius-clients)
- [Creating Portal Pages](#bkmrk-creating-portal-pages)
## Prerequisites
Before beginning this setup, ensure you have:
- Access to Zequenze GATE admin portal
- Admin credentials with appropriate permissions
- A MikroTik device configured for external portal redirection
## Creating a Dynamic Form
Dynamic forms collect user information during the registration process. This form will capture essential user data before granting network access.
### Step 1: Access the Forms Section
1. Navigate to **Portals** in the left sidebar menu
2. Select **Templates** from the submenu
3. Click on the **Forms** tab in the center of the screen
4. Click the blue **+ Add** button to create a new form
[![![Image: 1.1_form_1.png]](https://docs.zequenze.com/uploads/images/gallery/2025-05/scaled-1680-/9vstZOAQYpXIC2ec-1-1-form-1.png)](https://docs.zequenze.com/uploads/images/gallery/2025-05/9vstZOAQYpXIC2ec-1-1-form-1.png)
*Navigation path: Click (1) Portals in the sidebar, (2) Templates, (3) Forms tab, and (4) the Add button.*
### Step 2: Configure Basic Form Information
1. Enter a descriptive name for your dynamic form (e.g., "hotspot-mikrotik-form-v1")
2. Review the JSON data section where form components will be added
3. Select your organization from the dropdown menu
[](https://docs.zequenze.com/uploads/images/gallery/2025-05/38EZwjpoKwY6QuBp-1-1-form-2.png)
*Form creation screen showing (1) Name field, (2) JSON data section, and (3) Organization selection.*
### Step 3: Add User Input Fields
#### Access User Fields Menu
1. Click on **User Fields** in the left panel
[![![Image: 1.1_form_3.png]](https://docs.zequenze.com/uploads/images/gallery/2025-05/scaled-1680-/bDyGAAPeym1hhk8X-1-1-form-3.png)](https://docs.zequenze.com/uploads/images/gallery/2025-05/bDyGAAPeym1hhk8X-1-1-form-3.png)
*User Fields menu option highlighted.*
#### Add Required Fields
2. From the available user fields list, locate fields such as **Email**, **First name**, and **Last name**
3. Drag and drop each desired field to the "Drag and Drop a form component" area
[](https://docs.zequenze.com/uploads/images/gallery/2025-05/26rx3y9cbwv6uy28-1-1-form-4.png)
*Available User Fields options list.*
#### Configure Email Field
4. Drag the **Email** field from the list to the form area
[](https://docs.zequenze.com/uploads/images/gallery/2025-05/KdhtWbw10AGtKH7e-1-1-form-4-1.png)
*Dragging the Email field to the drop area.*
5. In the field properties popup:
- Click the **API** tab
- Verify or customize the Property Name (e.g., "email")
- Click **Save**
[](https://docs.zequenze.com/uploads/images/gallery/2025-05/FOCFCvrRmrrpCGvs-1-1-form-5.png)
*Selecting the API tab in field configuration.*
[](https://docs.zequenze.com/uploads/images/gallery/2025-05/Y983QrNrihXmAIkX-1-1-form-6.png)
*API configuration showing (1) Property Name field and (2) Save button.*
6. Repeat this process for **First name** and **Last name** fields
### Step 4: Add Submit Button
1. Click on **Submit buttons** in the left panel
[](https://docs.zequenze.com/uploads/images/gallery/2025-05/nA27PHUJxAZovWeu-1-1-form-7.png)
*Submit buttons menu option.*
2. Drag and drop the **Register button** to the form area
[](https://docs.zequenze.com/uploads/images/gallery/2025-05/9UnzRGM8b7GfluZf-1-1-form-8.png)
*Selecting and dragging the Register button.*
3. Configure the register button:
- Click the **API** tab in the popup window
- Set the Property Name (e.g., "register_trigger")
- Click **Save**
[](https://docs.zequenze.com/uploads/images/gallery/2025-05/QJuFWUIwaUQQliXI-1-1-form-9.png)
*Button API configuration showing (1) API tab, (2) Property Name field, and (3) Save button.*
### Step 5: Save Your Dynamic Form
1. Click the blue **Save** button at the bottom left of the screen
[](https://docs.zequenze.com/uploads/images/gallery/2025-05/EvRe8WwDRddovyr0-1-1-form-10.png)
*Save button highlighted at the bottom of the form creation screen.*
2. Verify successful creation - the form name and ID should appear at the top of the screen
[](https://docs.zequenze.com/uploads/images/gallery/2025-05/lyM1nREd32bgIu1J-1-1-form-11.png)
*Saved form displaying (1) Form name and (2) Form ID at the top.*
### Form Verification Checklist
After saving, your dynamic form should include:
- ✅ Email field for user identification
- ✅ First name and Last name fields for personalization
- ✅ Register button for form submission
- ✅ Auto-generated form ID for system reference
### Advanced Customization Options
You can enhance your form with additional features:
- **Custom fields** for collecting specific business information
- **Multiple submit button types** (Login, Update, etc.)
- **Layout adjustments** for improved user experience
- **Validation rules** for data quality control
---
## Creating AAA User Profiles
AAA (Authentication, Authorization, and Accounting) user profiles define the network access parameters and bandwidth limitations that will be applied to users through RADIUS communication with your MikroTik device. These profiles use AVP (Attribute-Value Pair) attributes that will be sent to the MikroTik device.
### Step 1: Access AAA User Profiles
1. Click on **AAA Services** in the left sidebar menu
2. Select **Profiles** from the submenu
3. Click on the **User profiles** tab at the top
4. Click the blue **+ Add** button to create a new profile
[](https://docs.zequenze.com/uploads/images/gallery/2025-05/02zndzSipggPDUYY-2-1-aaa-profiles-1.png)
*Navigation path: (1) AAA Services in sidebar, (2) Profiles, (3) User profiles tab, and (4) Add button.*
### Step 2: Configure Basic Profile Information
1. Enter a descriptive name for your profile (e.g., "MikroTik 1Mbps Profile" - typically referencing the speed or specific AVP attributes)
2. Set a **Short-name / code** for system reference (e.g., "mktk-1m")
3. Select your organization from the dropdown menu
4. Click the **Save** button
[](https://docs.zequenze.com/uploads/images/gallery/2025-05/EnmhIL5NCfK77TyZ-2-1-aaa-profiles-2.png)
*Profile creation screen showing (1) Name field, (2) Short-name/code field, and (3) Organization selection.*
### Step 3: Add MikroTik RADIUS Attributes
After saving the basic profile information, configure the specific MikroTik attributes:
#### Required Attributes Configuration
1. **Mikrotik: Rate-Limit (8)**
- Set value to bandwidth limitation (e.g., "1M/1M" for 1 Mbps download/upload)
2. **Mikrotik: Mikrotik-Group (3)**
- Set value to "profile-mikrotik" (must match your MikroTik user profile name)
3. **Auth-Type (1000)**
- Set value to "Accept" for authentication verification
4. Click **Save** to apply all changes
[](https://docs.zequenze.com/uploads/images/gallery/2025-05/Q4w869010wf9q7C8-2-1-aaa-profiles-3.png)
*Attributes configuration showing (1) Rate-Limit attribute, (2) Mikrotik-Group attribute, (3) Rate-Limit value, (4) Mikrotik-Group value, (5) Auth-Type attribute, (6) Auth-Type value, and (7) Save button.*
### Important Configuration Notes
> **Critical:** The "profile-mikrotik" value must match exactly with the user profile name created in your MikroTik device configuration.
> **Reference:** For detailed MikroTik device configuration, see the [official Zequenze documentation](https://docs.zequenze.com/books/gate/page/hotspot-using-mikrotik#bkmrk-user-profiles).
### Bandwidth Configuration Examples
| Profile Type | Rate-Limit Value | Description |
|--------------|------------------|-------------|
| Basic | 1M/1M | 1 Mbps download/upload |
| Standard | 5M/5M | 5 Mbps download/upload |
| Premium | 10M/10M | 10 Mbps download/upload |
| Unlimited | 100M/100M | High-speed access |
### Verification Checklist
After saving, verify your AAA user profile contains:
- ✅ Descriptive name and short-name code
- ✅ Rate-Limit attribute with bandwidth values
- ✅ Mikrotik-Group attribute linking to MikroTik profile
- ✅ Auth-Type attribute set to Accept
- ✅ Profile ID displayed at the top
---
## Adding RADIUS Clients
RADIUS clients represent your MikroTik devices in the GATE platform, enabling secure authentication and authorization communication between GATE and your network infrastructure.
### Step 1: Access AAA Clients Section
1. Click on **AAA Services** in the left sidebar menu
2. Select **Clients** from the submenu
3. Click the blue **+ Add** button to create a new RADIUS client
[](https://docs.zequenze.com/uploads/images/gallery/2025-05/0VgHechi1vTtR8SJ-3-1-aaa-clients-1.png)
*Navigation path: (1) AAA Services in sidebar, (2) Clients submenu, and (3) Add button.*
### Step 2: Configure RADIUS Client Parameters
1. **Short name**: Enter an identifier for your MikroTik device (e.g., "mikrotik-hotspot-01")
2. **Organization**: Select the appropriate organization from dropdown
3. **Hostname/IP Address**: Enter your MikroTik device's IP address or hostname
4. **Secret**: Create a strong shared secret for secure communication
5. **Enable debug**: Check this option for development environments (disable in production)
6. Click **Save** to create the RADIUS client
[](https://docs.zequenze.com/uploads/images/gallery/2025-05/cbNBWqD7jYy6BbV2-3-1-aaa-clients-2.png)
*RADIUS client configuration showing (1) Short name, (2) Organization selection, (3) IP address field, (4) Secret field, (5) Enable debug checkbox, and (6) Save button.*
### Network Connectivity Requirements
> **Critical Network Note:** The IP address must have direct connectivity with GATE for bidirectional communication. NAT configurations can block return traffic from GATE to MikroTik, causing authentication failures.
### Security Best Practices
| Security Aspect | Recommendation |
|------------------|----------------|
| **Secret Strength** | Use minimum 16 characters with mixed case, numbers, and symbols |
| **Secret Uniqueness** | Use a unique secret for each RADIUS client to maintain security |
| **Secret Matching** | The secret used here must match exactly with the secret configured in your MikroTik RADIUS settings |
| **Production Settings** | Disable debug mode in production to reduce unnecessary logging |
| **Firewall